Posted to issues@maven.apache.org by "Paul Gier (JIRA)" <ji...@codehaus.org> on 2012/10/08 23:42:36 UTC

[jira] (MENFORCER-138) Rule to ban all transitive dependencies

     [ https://jira.codehaus.org/browse/MENFORCER-138?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Paul Gier updated MENFORCER-138:
--------------------------------

    Fix Version/s: 1.2
    
> Rule to ban all transitive dependencies
> ---------------------------------------
>
>                 Key: MENFORCER-138
>                 URL: https://jira.codehaus.org/browse/MENFORCER-138
>             Project: Maven 2.x Enforcer Plugin
>          Issue Type: New Feature
>          Components: Standard Rules
>            Reporter: Paul Gier
>            Assignee: Paul Gier
>             Fix For: 1.2
>
>
> In some projects it's necessary (or at least desirable) to have all dependencies explicitly specified in the pom.  We have a build requirement to use a strictly controlled maven repository which includes only artifacts which are necessary and have been reviewed/approved.  In order to meet this requirement, each new dependency in the build must be reviewed before each release.  This can be done by periodically reviewing the dependency tree and cleaning up any unnecessary dependencies, but it would be more efficient if the developer adding the dependency was immediately notified that new (possibly unnecessary) dependencies were added to the build and not explicitly defined.  The developer can immediately choose whether to exclude the transitive dependency (if it's not really needed), or declare the dependency and control the version using dependency management.  Doing this checking up front when the build is modified is more efficient than periodically reviewing the dependency tree after several upgrades may have taken place.
> In order to facilitate this use case, an enforcer rule could check that all dependencies are explicitly defined unless they are specifically marked to be ignored.  This would ban all transitive dependencies so that the user could either add the transitive dependency directly to the pom (if it's actually needed), or exclude the dependency using exclusions in the dependency management, or mark it to be ignored using something like an <excludes> parameter similar to other standard enforcer rules.

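
The check this issue proposes, sketched as an added example (not part of the original message and not the Enforcer plugin's code): a script that reads `mvn dependency:tree` text output and reports every transitive dependency not matched by an ignore pattern, together with the direct dependency that pulled it in. The sample tree is constructed, and the function name and the `groupId:artifactId` wildcard pattern syntax are assumptions of this example.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample of `mvn dependency:tree` text output (not from a real build).
SAMPLE_TREE = r"""
[INFO] com.example:app:jar:1.0
[INFO] +- com.google.guava:guava:jar:31.1-jre:compile
[INFO] |  +- com.google.guava:failureaccess:jar:1.0.1:compile
[INFO] |  \- com.google.code.findbugs:jsr305:jar:3.0.2:compile
[INFO] +- org.slf4j:slf4j-api:jar:1.7.36:compile
[INFO] \- junit:junit:jar:4.13.2:test
[INFO]    \- org.hamcrest:hamcrest-core:jar:1.3:test
"""

# A tree node: indentation in 3-character units, then "+- " or "\- ", then coordinates.
NODE = re.compile(r"^(?P<indent>(?:[| ]  )*)[+\\]- (?P<coords>\S+)")


def find_transitive(tree_text, excludes=()):
    """Return (dependency, introduced_by) pairs for each transitive dependency
    not matched by an exclude pattern (groupId:artifactId, '*' wildcard allowed).
    introduced_by is the directly declared dependency at the top of that branch."""
    violations = []
    parents = {}  # depth -> groupId:artifactId of the latest node seen at that depth
    for line in tree_text.splitlines():
        body = line[len("[INFO] "):] if line.startswith("[INFO] ") else line
        m = NODE.match(body)
        if not m:
            continue  # project root line, blank line or unrelated log output
        parts = m.group("coords").split(":")
        if len(parts) < 4:
            continue  # not group:artifact:type:version[:scope]
        depth = len(m.group("indent")) // 3 + 1  # 1 = declared in the pom
        ga = ":".join(parts[:2])
        parents[depth] = ga
        # An ignored dependency's own children are still checked individually.
        if depth > 1 and not any(fnmatchcase(ga, p) for p in excludes):
            violations.append((ga, parents.get(1)))
    return violations


if __name__ == "__main__":
    for dep, via in find_transitive(SAMPLE_TREE, excludes=("org.hamcrest:*",)):
        print(f"transitive dependency {dep} (via {via}) is not declared or ignored")
```
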